
Katherine Bongat Kyle Lockley Trevor Touchet 1

OWASP Assignment


The Open Web Application Security Project, or OWASP, is an international nonprofit charitable organization set on improving the security of software. Their main goal is to provide impartial (unbiased) and practical information about application security (AppSec) to all individuals and groups, including corporations, universities, government agencies and other organizations, worldwide, in order to help them make informed decisions concerning software security. In order to provide this information, the OWASP community builds documents, tools, teaching environments, guidelines, checklists, and other materials to improve everyone's capability to produce secure code. OWASP operates as an open organization, meaning that everyone is free to participate; even their website is maintained like a Wikipedia page, with over 45,000 global volunteer participants reviewing changes to help ensure quality. Their website is not the only aspect of their organization that is wide-open. All of their materials, though vendor neutral (they don't recommend or endorse commercial products or services), are available to the public under a free and open software license. A free and open software license means that the material can be freely used, modified, and shared, as approved by the Open Source Initiative (OSI), not to be confused with the Open Systems Interconnection model, whose acronym is also OSI. The core values of the Open Web Application Security Project are open, innovation, global, and integrity. Open refers to OWASP intending for everything about them to be radically transparent, from their finances to their code. Innovation refers to the encouragement and support of innovation and experiments for solutions to software security challenges. Global refers to OWASP encouraging anyone

around the world to participate in the OWASP community. Lastly, integrity refers to OWASP being an honest and truthful, vendor neutral, global community.

A6 - Sensitive Data Exposure

Sensitive Data Exposure is what happens when you don't properly keep your sensitive data concealed behind firewalls and encryption. Credit card information, social security numbers, phone numbers, addresses, passwords, and logins are among the many types of data that could be used maliciously if left out in the open. Leaving this information unencrypted can leave your company and your employees vulnerable to identity fraud, credit card fraud, and possible hacking.

The first step to protecting your sensitive data is to encrypt it, which masks the data to the naked eye so that it cannot be viewed properly without the encryption key. The next step would be to not store any unnecessary data that you don't need. For instance, if you don't need someone's social security number, don't store that information anywhere. You can't have information stolen that you don't possess. Another tip is to keep your keys in a safe place and never share them, or your passwords, with anyone you do not trust. Passwords need to be stored with an algorithm specially made for password protection, such as scrypt or PBKDF2. One last thing to do would be disabling autocomplete and caching to prevent any data remnants from appearing on forms from previous data entries. By taking all of these steps to protect your data, you eliminate all the easy ways of getting free data. Simply taking these preventive measures shuts the door on anyone peering into your servers trying to find anything they can use against you. Encryption will keep anyone out who doesn't have the proper keys to decrypt, and keeping strong passwords will shield your system from people trying to guess their way in.
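The password-storage advice above (scrypt or PBKDF2 rather than a plain hash) is shown below as an added example written for this page; it is not part of the original assignment. It uses only the Python standard library. Each password gets its own random salt, the work-factor parameters are stored alongside the hash so they can be raised later, and verification compares digests in constant time. The iteration counts and scrypt parameters are assumed values chosen for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factors (assumed values for this example; raise them as hardware allows).
PBKDF2_ITERATIONS = 600_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, scheme: str = "scrypt",
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing storage string: scheme$params$salt$hash.

    A fresh 16-byte random salt is generated per password so that two users
    with the same password end up with different stored values, which defeats
    precomputed (rainbow) tables.
    """
    if salt is None:
        salt = os.urandom(16)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=32)
        params = str(PBKDF2_ITERATIONS)
    elif scheme == "scrypt":
        digest = hashlib.scrypt(pw, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        params = f"{SCRYPT_N},{SCRYPT_R},{SCRYPT_P}"
    else:
        raise ValueError(f"unknown scheme {scheme!r}")
    return "$".join([scheme, params, _b64(salt), _b64(digest)])


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the parameters embedded in the stored string
    and compare in constant time, so timing does not reveal how many bytes matched."""
    try:
        scheme, params, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    salt = _unb64(salt_b64)
    expected = _unb64(digest_b64)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2":
        actual = hashlib.pbkdf2_hmac("sha256", pw, salt, int(params), dklen=32)
    elif scheme == "scrypt":
        n, r, p = (int(x) for x in params.split(","))
        actual = hashlib.scrypt(pw, salt=salt, n=n, r=r, p=p, dklen=32)
    else:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Only the storage string is ever written to the database; the plaintext password is discarded after hashing. Because the scheme and parameters travel with each record, old records can be rehashed with a higher work factor the next time the user logs in.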

Operator-sided Data Leakage

The second item in OWASP's top ten privacy risks is known as operator-sided data leakage. This essentially means that data entrusted to a third party for storage has been compromised while in the possession of that third party. For example, millions of users had given the organization Yahoo information for storage such as names, addresses, phone numbers, and the like. When Yahoo was hacked and the attackers stole a large amount of this user data, operator-sided data leakage had occurred. While there isn't a surefire way to prevent another organization from losing a customer's data in a breach, certain steps can be taken to reduce the likelihood of becoming a victim of this privacy risk. First, before committing data to a certain operator, conduct research on the operator to ensure they have a good reputation and reliability. Things to consider when evaluating an operator include: how many breaches, if any, have occurred in the past; whether or not the provider proves that they are proactive in securing their users' private data; and what standards the operator follows or what certifications they possess. Next, after an operator has been chosen, they should be continually audited to ensure good privacy practices are still in place. Acceptable audits can be paper-based or interview-based; however, on-site audits with system checks would be the best. Aside from ensuring the operator is doing its best to secure the private data they are storing, certain steps can be taken by the customer to ensure that, in the event of a breach, nothing of extreme value will be lost. The first and most obvious measure is to simply not entrust the provider with storing any sensitive information. If classified data must be given to the operator, the customer can first perform encryption, anonymization, or pseudonymization on the data, the only downside being increased overhead when the data needs to be sent or retrieved.
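The customer-side measures named above (not handing the operator sensitive fields at all, and pseudonymizing or anonymizing what must be handed over) are shown below as an added example written for this page; it is not part of the original assignment. The records, field names, and the customer-held key are all constructed for illustration. Direct identifiers the customer still needs to correlate are replaced with keyed HMAC tokens whose lookup table never leaves the customer; fields the operator has no need for are dropped; and the ZIP code is generalised so that what the operator holds is of little value on its own if it leaks.

```python
import hashlib
import hmac

# Constructed sample records (fictional people) standing in for the customer's database.
CUSTOMER_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "ssn": "123-45-6789",
     "zip": "30318", "birth_year": 1984, "purchases": 12},
    {"name": "Bob Example", "email": "bob@example.com", "ssn": "987-65-4321",
     "zip": "30305", "birth_year": 1991, "purchases": 3},
]

# Data minimisation: fields the operator does not need are never sent.
DROP_FIELDS = {"ssn", "name"}
# Pseudonymisation: identifiers the customer must still be able to match on.
PSEUDONYMISE_FIELDS = {"email"}


def pseudonym(key: bytes, value: str) -> str:
    """Keyed token for a direct identifier.

    An unkeyed hash of an e-mail address could be reversed by hashing a list of
    likely addresses; with the key held only by the customer, the operator cannot
    rebuild or test tokens.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def prepare_for_operator(records, key: bytes):
    """Return (records_to_send, lookup). Only the first element is sent to the
    operator; the lookup table stays on the customer's systems."""
    outbound, lookup = [], {}
    for rec in records:
        out = {}
        for field, value in rec.items():
            if field in DROP_FIELDS:
                continue
            if field in PSEUDONYMISE_FIELDS:
                token = pseudonym(key, value)
                lookup[token] = value
                out[field] = token
            elif field == "zip":
                # Anonymisation by generalisation: keep the 3-digit prefix only.
                out[field] = value[:3] + "xx"
            else:
                out[field] = value
        outbound.append(out)
    return outbound, lookup


def reidentify(record, lookup):
    """Customer side: restore pseudonymised fields when data comes back from the operator."""
    restored = dict(record)
    for field in PSEUDONYMISE_FIELDS:
        if field in restored:
            restored[field] = lookup.get(restored[field], restored[field])
    return restored


if __name__ == "__main__":
    key = b"customer-held-secret-key"  # constructed; in practice from a key store
    to_send, private_lookup = prepare_for_operator(CUSTOMER_RECORDS, key)
    print("sent to operator:", to_send)
    print("restored locally:", [reidentify(r, private_lookup) for r in to_send])
```

The overhead the text mentions is visible here: every exchange with the operator passes through prepare_for_operator or reidentify, and the customer must protect both the key and the lookup table. Encrypting the remaining fields before upload would be the next layer and needs a proper cipher library rather than the standard library alone.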
